Microsoft has done a relatively good job building a secure operating system in the form of Windows 7 and patching the few flaws that have been discovered and widely published. But like any OS there are still some gaping holes, and with Windows 7's growing market share, there are plenty of parties, both malicious and altruistic, poking around to find those holes.

The latest threat is a new strain of malware that takes advantage of Windows 7's support for "autorun" or "autoplay" files.

The attack vector begins with an infected machine writing malware to an attached USB drive. The malware program writes two driver files -- "mrxnet.sys" and "mrxcls.sys" -- to the attached drive. These rootkit files carry a digital signature, likely stolen, belonging to Realtek Semiconductor Corp. The drivers provide "rootkit" functionality, disguising the malware that is subsequently written to the drive.

Packed with malware and with drivers that disguise it, the USB stick initiates the next infection when the unsuspecting user plugs it into another machine. If the user follows the prompt and selects the "Autorun" option, or opts to open the drive in Windows Explorer, the stored malware will autorun, infecting the attached machine.

While autoplay/autorun is disabled by default on most Windows 7 installs, browsing to the root folder of a USB stick or enabling autoplay on USB sticks can still trigger this attack.

Belarusian anti-virus company VirusBlokAda was the first to spot the new malware in the wild, and it published an advisory earlier this month. Warns VirusBlokAda researcher Sergey Ulasen, "So you just have to open infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware."

The story gets stranger from here, though. While one might expect the cleverly crafted malware to be involved in a pedestrian credit card number or personal information theft scheme, it appears to be something far more devious. Security researcher Frank Boldewin closely examined the loaded malware and discovered it had a very specific target: it tries to probe and infect Siemens WinCC SCADA systems.

What are WinCC SCADA systems used for? They are commonly used in large factories and power plants. The malware's focus on them makes it clear that this is some sort of focused industrial espionage effort. Only a few countries might have the savvy and interest to concoct this kind of organized effort -- among them China.

Of course this virus also targets pedestrian systems to reach its high-profile targets. And it seems only a matter of time before pedestrian attacks piggyback on the infection package or are released in copycat schemes.

Microsoft did not respond to VirusBlokAda, or thank it for informing it about this potentially dangerous exploit. However, Jerry Bryant, group manager of response communications at Microsoft, told security researcher Brian Krebs that his company was looking into it. He states, "Microsoft is investigating new public claims of malware propagating via USB storage devices. When we have completed our investigations we will take appropriate action to protect users and the Internet ecosystem."

Microsoft has just released a security advisory which includes registry edits that users can perform to safeguard their systems. The advisory says the exploit affects all currently supported versions of Windows and that Microsoft is working on a fix.
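As an added, defender-side example (not from the article, VirusBlokAda or Microsoft's advisory), the following PowerShell reports whether AutoRun is disabled for removable drives, as discussed above, and checks attached USB drives for the two driver names quoted in the article, showing who signed them. The NoDriveTypeAutoRun policy value and the Win32_LogicalDisk drive-type code are standard Windows settings; the rest is assumed for illustration.

```powershell
# Added example: audit the AutoRun policy and look for the two driver files
# named in the article on attached removable drives.
# NoDriveTypeAutoRun is a bit mask of drive types for which AutoRun is
# disabled; 0xFF disables it everywhere, bit 0x04 covers removable drives.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$removableBit = 0x04   # DRIVE_REMOVABLE (2) -> 1 shl 2

foreach ($key in $autorunKeys) {
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) {
        Write-Output "$key : NoDriveTypeAutoRun not set (Windows default applies)"
    } elseif (($value -band $removableBit) -ne 0) {
        Write-Output ("$key : 0x{0:X2} - AutoRun disabled for removable drives" -f $value)
    } else {
        Write-Output ("$key : 0x{0:X2} - AutoRun still allowed for removable drives" -f $value)
    }
}

# Driver names quoted in the article. A kernel driver sitting in the root of a
# plain USB stick is suspicious regardless of how its signature validates.
$suspectNames = 'mrxnet.sys', 'mrxcls.sys'

# DriveType 2 = removable disk
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
    $root = $_.DeviceID + '\'
    foreach ($name in $suspectNames) {
        $path = Join-Path $root $name
        # Test-Path also finds hidden files, which is how the rootkit leaves them
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            Write-Output "FOUND $path  status=$($sig.Status)  signer=$signer"
        }
    }
}
```

Run the check from a machine you trust: on an already infected host the rootkit drivers may hide these files from every file listing, including this one.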
